Serial Network Security with Device Routers
As security continues to be in the forefront of the challenges facing designers of industrial networks, legacy systems, using serial intelligent electronic devices (IEDs) and other serial network components that have been operating faithfully for years, have become a significant concern. Typically separate from newer Ethernet deployments, they fall outside any automated security strategy, yet t...
As security continues to be in the forefront of the challenges facing designers of industrial networks, legacy systems, using serial intelligent electronic devices (IEDs) and other serial network components that have been operating faithfully for years, have become a significant concern. Typically separate from newer Ethernet deployments, they fall outside any automated security strategy, yet their splendid isolation can make them a target for attack.
This diagram shows typical network architecture, including serial devices interfaced with the Ethernet core.
This decades-long accumulation of industrial devices that utilize asynchronous, serial protocols for operational applications, such as supervisory control and data acquisition (SCADA) and for industrial device console interfaces, can have its serial communications requirements met via separate networks distinct from Internet protocol (IP)/Ethernet infrastructure. But there is no way to implement managed remote cyber security for traditional serial applications. For an effective communications-system-wide security program, as well as overall network efficiency, it would be better to integrate serial devices on the edge of industrial networks with the central IP/Ethernet network for ease of management and to extend IP-based cyber security features to the serial edge of the network.
Holistic architectures are coming on the market that allow the serial edge to be an integral part of an automated, secure network system. An emerging class of products called serial device routers supports architecture that allows managers to design and control integrated industrial networks that provide monitoring, management, and security for the entire network, including legacy systems.
Integrating industrial networks
A holistic view of the emerging industrial network uses Ethernet switches as a universal connectivity medium at the core of the network, and then surrounds this core with edge and access layers for Ethernet devices, serial devices and wide area network connections. See graphic.
At the Ethernet edge of this architecture, IP-ready industrial devices connect directly to the core network, or via Ethernet edge switches that are deployed near distributed industrial devices. The wide area network (WAN) access element of the architecture enables remote systems or personnel to access industrial devices in the local network. In addition to physical layer interfaces to WAN facilities, WAN access requires IP routing for interconnection of different Ethernet networks and perimeter-security capabilities, such as an IP firewall.
The serial edge has historically been implemented as a separate network. While the Ethernet and serial domains may share a common WAN access element, it has been difficult to share a local Ethernet infrastructure.
Relatively static, dedicated networks have been developed for connecting serial devices and interfaces to central data collectors and/or to basic remote access facilities. Devices may be connected to dedicated modem connections for remote access, or some limited shared WAN access may be provided by a local data concentrator for both an operational data interface, such as SCADA, and a separate interface for serial console access. A major drawback is that static serial edge networks rely on dedicated connections for each application. Thus, adding new industrial devices (ID) or new systems means adding new dedicated connections. Console access to devices is also highly restricted, inhibiting efficient access by remote technical personnel. Connections are hard-wired with no resiliency against faults and no remote management of network elements.
Serial device routers are a class of devices that offer intelligent serial-IP networking, leverage the Ethernet infrastructure to take advantage of the ubiquity, performance, security and resiliency offered by the emerging Ethernet core architecture. A new dynamic serial edge is created by their deployment adjacent to distributed industrial serial devices to provide serial-IP/Ethernet connectivity into the common local core network. Because they are specially designed for industrial applications, these devices can be widely distributed within even the harshest environments. In addition, multiple serial connections may be attached to the same industrial device. For example, both an operational data interface, such as SCADA, and serial console access can share a serial device router.
A serial device router can provide fieldbus connectivity using Modbus/TCP on the existing Ethernet core.
A fieldbus example
Security often has not been a concern of fieldbuses because they are typically closed systems. However, when IP-based devices enter the picture, security with fieldbus systems becomes a concern. Serial device routers have the data manipulation capability and the intelligence to address cyber security concerns.
There are numerous serial devices in industrial control system environments. Many systems have standardized on serial-mode DNP (distributed network protocol) and Modbus protocols. Modbus fieldbus technology allows for serial communications among many devices connected to the same network. For example, Modbus is often used to connect a supervisory computer with a remote terminal unit (RTU) in serial SCADA systems.
Because Modbus is an important and widely deployed serial technology, the ability of a serial device router to integrate Modbus/RTU and Modbus/ASCII serial devices with newer TCP/IP network devices is particularly important. Utilizing Modbus/TCP, an extension of Modbus/RTU, it is possible to encode Modbus messages within and transport over TCP/IP-based networks to support client (master) and server (slave) modes of operation. This approach can integrate Modbus devices into an Ethernet-core integrated industrial network to extend Ethernet-based management and cyber security functionality to Modbus devices in an industrial facility.
Other serial approaches
Like a serial device router, traditional terminal servers, serial device servers, or console servers provide the basic function of serial-to-TCP/IP protocol encapsulation and connectivity to an Ethernet network. Serial device routers, however, integrate the multiple functions of a terminal server, an Ethernet switch and an IP router and firewall, which can enhance management, resiliency and security capabilities for serial devices. Traditional terminal servers and other serial server devices have no intelligence, and therefore no security capability. This may not be a problem if the connected serial devices are in a secure area and access is restricted to trusted employees. For example, use of security techniques such as per-port virtual local area networks (VLANs), are not possible with terminal servers. Today’s emphasis on security preparedness rather than trust, however, suggests that communications management should include a unified security system that is vigilant toward not only external attack, but also unauthorized use by personnel or systems within the installation. An SDR has the flexibility to play many roles in industrial networks, including acting as a perimeter security appliance (such as firewalls and VLANs) for remote locations, as a watchdog for activity on a serial port, or as a layer-3 (IP protocol) gateway among Ethernet network domains.
The serial device router is also designed for industrial environments with hardening to withstand extreme temperatures, electrical surges, EMI, and corrosive, high particulate, or high humidity environments. These hardened devices enable reliable deployment in applications where terminal servers, typically available only in commercial grade, will not operate.
New industrial routers incorporate SDR capabilities to provide WAN connectivity to integrated networks supporting both dynamic Ethernet and dynamic serial edges.
Cyber security features
Cyber security becomes more urgent when remote access is enabled, and remote access is critical for efficient support of many industrial functions. In some industries, such as electric power transmission, implementing remote access brings regulatory obligations for cyber security protection of critical infrastructure. In addition to perimeter security via a WAN-access firewall function, full cyber protection requires rigorous port security for industrial devices including authentication and encryption of serial connections by remote systems and personnel on an end-to-end basis, extending locally to the serial port itself. Serial device routers have IP capability, allowing them to support secure socket layer (SSL) sessions from remote systems and PC-based remote personnel with authentication that is specific to individual serial ports, in addition to high-performance, hardware-assisted encryption of traffic all the way to the edge of the local network. Serial device routers also have the capability for associating serial ports into closed communities of interest using capabilities such as Ethernet 802.1Q VLAN technology, which allows per-port assignment of serial ports within the network to different VLANs.
A serial device router enables the creation of a dynamic serial edge that meets many critical business objectives of industrial network designers and planners. In addition to extending cyber security to the edge of the industrial network for serial devices, and facilitating compliance with cyber security standards, serial device routers can improve network reliability and thus associated operational system and process reliability. The result is improved SCADA system reliability, achieved by increased security and resiliency of local network connections.
Serial device routers protect existing investment in industrial equipment by network-enabling serial devices for access by remote systems and personnel. Deployment of additional industrial devices and systems is made more cost-effective by leveraging the Ethernet core network in industrial environments, including cyber security, and by building for long-term project life cycles with open standards technology.
New and evolving application requirements, such as comprehensive cyber security mandates and heightened concerns for overall system reliability, require new views of industrial network architecture. Serial devices within the network add security challenges because they do not easily fit within IP-enabled security systems. Moreover, each application requires its own individual uplink, adding complexity to new deployments. With an integrated approach to the design and planning of multi-protocol industrial networks now available, network planners and designers can use the emerging product class of serial device routers to facilitate an integrated, secure and reliable industrial network.
Howard Linton, is director of application engineering, GarrettCom Inc. Reach him at firstname.lastname@example.org .